Should the Sweet32 check be a potential vulnerability?

Vulnerability QID 38657 - Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32) is listed as a confirmed vulnerability. However, it seems that the check is based solely on the supported cipher suites detected. One of the mitigations for this vulnerability is to implement a data size limit per unique session key. This mitigation would not be detected by the check logic and would lead to false positives. Should this check be potential instead?

The ASV guidance in the ASV portal is as follows: ASV Score 2.6 : Currently PCI DSS reference "3DES" as a valid encryption cipher. 112-bit keys are acceptable until 2030 per document NIST SP800-57 part 1 Rev 4.
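The distinction raised in the question, as an added example that is not Qualys's check logic or part of the original post: a cipher-suite-only check can see that a 64-bit block cipher is offered, but the birthday-bound risk depends on how much data is encrypted under one session key. The status labels, the `max_prob` threshold and the sample suite names are assumptions made for illustration.

```python
import math

# Name fragments of suites that use a 64-bit block cipher (3DES, DES, IDEA, RC2),
# covering both OpenSSL-style and IANA-style suite names.
BLOCK64_TOKENS = ("3DES", "DES-CBC", "DES_CBC", "IDEA", "RC2")
BLOCK_BITS = 64


def has_64bit_block(suite: str) -> bool:
    """True if the suite name indicates a 64-bit block cipher."""
    name = suite.upper()
    return any(tok in name for tok in BLOCK64_TOKENS)


def collision_probability(bytes_per_key: int) -> float:
    """Birthday-bound estimate of a ciphertext block collision under one key."""
    n = bytes_per_key // (BLOCK_BITS // 8)          # blocks encrypted per key
    return -math.expm1(-n * (n - 1) / 2 ** (BLOCK_BITS + 1))


def classify(suites, rekey_limit_bytes=None, max_prob=1e-3):
    """Grade a Sweet32 finding (labels and threshold are assumed policy values).

    rekey_limit_bytes is the per-session-key data limit taken from the server's
    configuration; None means it is unknown, which is all a remote scan can see.
    """
    weak = [s for s in suites if has_64bit_block(s)]
    if not weak:
        return "not_affected"
    if rekey_limit_bytes is None:
        return "potential"      # suites offered, mitigation state not observable
    if collision_probability(rekey_limit_bytes) <= max_prob:
        return "mitigated"      # key is rotated well before the birthday bound
    return "confirmed"


if __name__ == "__main__":
    # Constructed sample input: suites as a scanner might report them.
    offered = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA"]
    for limit in (None, 2 ** 30, 32 * 2 ** 30):
        print(limit, classify(offered, limit))
```

With a 32 GiB limit (2^32 blocks) the estimated collision probability is about 0.39, while a 1 GiB limit brings it down to roughly 2^-11.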


Just closing the loop on this post. Thank you for engaging Qualys Customer Support. We have been actively working with engineering to address since the creation of the support case. We will continue to update you via that case.